[BUG] Content Security policy for OpenSearch Dashboards #5917

Closed
gupta-mayank opened this issue Feb 22, 2024 · 12 comments
@gupta-mayank (Author)

CSP Policy for OpenSearch Dashboards

We have been using OpenSearch Dashboards as a primary tool to visualize logs for triaging and get other insights from the logs. Of late, we have run some testing on OpenSearch Dashboards (ver 2.11.1) and found that the value of the Content-Security-Policy (CSP) response header has 'unsafe-eval' and 'unsafe-inline' for the script-src and style-src directives. This makes it easy to inject malicious code that will not be blocked by the browser (due to 'unsafe-eval' & 'unsafe-inline' in the CSP). This is a major security issue and hence we would like to know if there is a setting that we should apply or a workaround so that the security risk can be mitigated.

We have tried removing the unsafe directives from the CSP header (via our proxy) but the application fails to initialize properly in the browser. We have also explored the possibility of using 'nonce' with 'strict-dynamic' directives but it looks like OpenSearch Dashboards does not give any options/configurations to enable this. Removing the CSP header entirely would not be a valid solution either as the code still remains vulnerable.

Any suggestions or guidance on this will be really helpful.

A stricter CSP, as applicable.

Opensearch 2.11.1
OpenSearch Dashboards 2.11.1

gupta-mayank added the bug and untriaged labels Feb 22, 2024
@kavilla (Member) commented Feb 22, 2024

Hello @gupta-mayank,

I believe this is a duplicate of: #5639.

@tianleh do you mind verifying if your contribution will be mitigating this issue as well?

@tianleh (Member) commented Feb 22, 2024

My related change is for mitigating Clickjacking vulnerability, specifically the directive frame-ancestors in CSP rules.

The current issue by @gupta-mayank is about the directives script-src and style-src in CSP rules.

While the infrastructure to be introduced by my issue will help customers specify hot reloading CSP rules, choosing values to use for script-src and style-src is a different problem.

@kavilla

cc @seraphjiang

@seraphjiang (Member)

@tianleh the solution for CSP should be supported without additional effort according to your current design which is to set the whole CSP policy that include the iframe related policy as well as other.

If yes, this issue should be covered. If not, could you share what the gap is to extend the solution to support this case?

@tianleh (Member) commented Feb 26, 2024

> @tianleh the solution for CSP should be supported without additional effort according to your current design which is to set the whole CSP policy that include the iframe related policy as well as other.
>
> If yes, this issue should be covered. If not, could you share what the gap is to extend the solution to support this case?

Yes. From this perspective, the issue is covered. @seraphjiang

cc @kavilla

@wbeckler

It's possible to specify CSP settings (for example, csp.strict: true) in the configuration file. See https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/src/core/server/csp/config.ts#L38 for the full configuration options.

@wbeckler

Today, there are a range of dependencies that block a stricter CSP. See the appendix here: #4306

@tianleh (Member) commented Feb 27, 2024

> We have also explored the possibility of using 'nonce' with 'strict-dynamic' directives but looks like opensearch dashboards does not give any options/configurations to enable this.

csp.rules in the OSD YML can be used with this syntax:

csp.rules: ["script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self';"]
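The check the reporter ran by hand (inspecting the CSP response header for 'unsafe-inline' and 'unsafe-eval') can be scripted. The following is an added example, not code from this thread or from OpenSearch Dashboards: it parses a serialized CSP the way a browser does (first occurrence of a directive wins; script-src and style-src fall back to default-src when absent) and reports the weak source expressions in the directives that govern scripts and styles. The first sample header is the csp.rules value quoted above; the nonce, fallback and no-script-src headers are constructed for this example, and the nonce value is a placeholder.

```python
"""Audit a Content-Security-Policy header for 'unsafe-inline' / 'unsafe-eval'
in the directives that govern scripts and styles.

Added example; not OpenSearch Dashboards code.
"""
from typing import Dict, List

UNSAFE_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")
# Per CSP Level 2+, a nonce or hash in the same directive makes conforming
# browsers ignore 'unsafe-inline' (it then only serves CSP Level 1 browsers).
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Sample headers. The first is the csp.rules value quoted in this thread;
# the others are constructed for this example (the nonce is a placeholder).
OSD_DEFAULT_CSP = "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self';"
NONCE_CSP = "script-src 'nonce-cGxhY2Vob2xkZXI' 'strict-dynamic' 'unsafe-inline'; style-src 'self'; worker-src blob: 'self'"
FALLBACK_CSP = "default-src 'self' 'unsafe-inline'; img-src *"
NO_SCRIPT_CSP = "style-src 'self'"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()  # directive names are case-insensitive
        if name not in policy:    # browsers ignore a repeated directive
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the source list that governs `directive`, honouring default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header: str) -> List[str]:
    """Return one finding per weak source expression governing scripts and styles."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in ("script-src", "style-src"):
        if directive in policy:
            where = directive
        elif "default-src" in policy:
            where = f"{directive} (via default-src)"
        else:
            # Neither the directive nor default-src is present: no restriction at all.
            findings.append(f"{directive}: no governing directive, all sources allowed")
            continue
        sources = effective_sources(policy, directive)
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
        for unsafe in UNSAFE_SOURCES:
            if unsafe not in sources:
                continue
            if unsafe == "'unsafe-inline'" and has_nonce_or_hash:
                # Neutralised by the nonce/hash in the same directive; not a finding.
                continue
            findings.append(f"{where}: {unsafe}")
    return findings


if __name__ == "__main__":
    for label, header in [("OSD default", OSD_DEFAULT_CSP), ("nonce + strict-dynamic", NONCE_CSP),
                          ("default-src fallback", FALLBACK_CSP), ("no script-src", NO_SCRIPT_CSP)]:
        print(f"{label}: {audit_csp(header) or 'no findings'}")
```

Feed it the header copied from the browser's network panel or from `curl -sI` against the Dashboards URL; a finding for 'unsafe-eval' on script-src is exactly what the reporter observed, and the fallback case shows why a proxy that only strips script-src is not enough if default-src still carries the unsafe keywords.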

@gupta-mayank (Author)

@tianleh, is there a way to turn on the nonce attributes for all the script and style elements that get loaded when Dashboards is initialized in the browser? I see a condition(s) in the minified code that conditionally sets the nonce attribute for the script elements like this:
if (__webpack_require__.nc) {
script.setAttribute("nonce", __webpack_require__.nc)
}
Is there a way to turn this on via the configuration?
Also, will it be possible to avoid using 'unsafe-eval' and 'unsafe-inline' via some configuration?

@tianleh (Member) commented Mar 7, 2024

> @tianleh, is there a way to turn on the nonce attributes for all the script and style elements that get loaded when Dashboards is initialized in the browser? I see a condition(s) in the minified code that conditionally sets the nonce attribute for the script elements like this:
> if (__webpack_require__.nc) {
> script.setAttribute("nonce", __webpack_require__.nc)
> }
> Is there a way to turn this on via the configuration?
> Also, will it be possible to avoid using 'unsafe-eval' and 'unsafe-inline' via some configuration?

checking

@gupta-mayank (Author)

@tianleh, could you please let me know if you had the opportunity to check on this?

@tianleh (Member) commented Mar 18, 2024

> @tianleh, could you please let me know if you had the opportunity to check on this?

Have been busy with 2.13.0 release recently with code freeze date 3/19/2024. Will check again this week after release.

@tianleh (Member) commented Mar 23, 2024

  1. The nonce syntax has been deprecated. See the code reference
    https://github.com/opensearch-project/OpenSearch-Dashboards/blame/27d73ab263a1663f90981d816ac77fb7660553d3/src/core/server/config/deprecation/core_deprecations.ts#L91

  2. The key problem is that OSD will fail to load if you remove them.

See the comment above in #5917 on why a stricter CSP is not supported.

@tianleh tianleh closed this as completed Mar 23, 2024